[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
Example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
With the modification in the attached patch, titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener, this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 8 months
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (a NoSQL database). I'm
using the selinux-polgengui and Eclipse SLIDE tools to help. I've hit a
roadblock because it won't start but I'm not getting any more AVCs. I'm
wondering if anybody might be able to offer some clue about getting more
AVCs from it, because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=':
comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=?
addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb,1.0.0)
require {
type bin_t;
type fs_t;
type proc_t;
}
type couchdb_t;
domain_type(couchdb_t)
permissive couchdb_t;
# Access to shared libraries
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)
# Type for the daemon
type couchdb_exec_t;
files_type(couchdb_exec_t)
domain_entry_file(couchdb_t, couchdb_exec_t)
init_daemon_domain(couchdb_t, couchdb_exec_t)
# Logging
logging_send_syslog_msg(couchdb_t)
logging_log_file(couchdb_t)
# Temp files
type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })
#type couchdb_config_t;
files_read_etc_files(couchdb_t)
# /bin/basename and some others
allow couchdb_t bin_t:file { read getattr open execute execute_no_trans };
allow couchdb_t fs_t:filesystem getattr;
allow couchdb_t proc_t:file { read getattr open };
allow couchdb_t self:fifo_file { read write getattr };
# Not sure about this
auth_domtrans_chk_passwd(couchdb_t)
# Not sure about this either.
domain_use_interactive_fds(couchdb_t)
Any clues, tips, or advice would be most appreciated.
Thanks
12 years
SELinux policy for both Enterprise Linux 5 and 6
by Brian Ginn
I have SELinux policy that is compiled on Red Hat Enterprise Linux 5.
This policy fails to install on Red Hat Enterprise Linux 6 with the following message:
libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
Is there a way to write SELinux policy so that it can be compiled on v5.x and will run on 6.x?
Thanks,
Brian
12 years, 3 months
dovecot 2.1
by Paul Howarth
Dovecot 2.1, just introduced (well, 2.1.rc1) in Rawhide, has a new FIFO
file /var/run/stats-mail, and needs additional policy to create and use it:
# Needed for dovecot 2.1
allow dovecot_t dovecot_var_run_t:fifo_file { read write create open unlink };
Paul.
12 years, 3 months
libselinux python binding of restorecon different from restorecon command
by Paul Howarth
I maintain a local RPM package repository and have a "newrepo" script that assembles the repository, calls createrepo and repoview etc.
During the script it runs "restorecon" on all of the files in the repo to make sure that they have the correct contexts to be accessible via http etc.
A few weeks ago I rewrote the script in Python and decided to use the libselinux-python binding (this is on F16) for the "restorecon" call. Around the same time I noticed that my backups were getting a lot bigger, but I've only just discovered why. If I use the shell command "restorecon -rvF /path/to/dir" and it doesn't need to change anything, the ctime of the dirs/files concerned remains unchanged. However, if I use the Python binding, the ctime is updated. So I've been backing up the entire repository on each incremental backup :-(
[paul@zion ~]$ ls -l --time=ctime /home/paul/cfo-repo/drivers/advansys/
total 11896
-rw-rw-r--. 1 paul paul 649700 Nov 29 11:54 advansys-driverdisk.zip
-rw-rw-r--. 1 paul paul 4175872 Nov 29 11:54 advansys-fc2-boot.iso
-rw-rw-r--. 2 paul paul 108723 Nov 29 11:54 dkms-2.2.0.2-1.noarch.rpm
-rw-rw-r--. 2 paul paul 132593 Nov 29 11:54 dkms-2.2.0.2-1.src.rpm
-rw-rw-r--. 1 paul paul 10400 Nov 29 11:54 HEADER.html
-rw-rw-r--. 1 paul paul 287602 Nov 29 11:54 kernel-advansys-0.9.1-1dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 228573 Nov 29 11:54 kernel-advansys-0.9.1-1dkms.src.rpm
-rw-rw-r--. 1 paul paul 620915 Nov 29 11:54 kernel-advansys-0.9.2-1dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 457045 Nov 29 11:54 kernel-advansys-0.9.2-1dkms.src.rpm
-rw-rw-r--. 1 paul paul 607931 Nov 29 11:54 kernel-advansys-0.9.3-2dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 461727 Nov 29 11:54 kernel-advansys-0.9.3-2dkms.src.rpm
-rw-r--r--. 1 paul paul 1234354 Nov 29 11:54 kernel-advansys-0.9.4-1dkms.noarch.rpm
-rw-r--r--. 1 paul paul 907444 Nov 29 11:54 kernel-advansys-0.9.4-1dkms.src.rpm
-rw-rw-r--. 2 paul paul 1286253 Nov 29 11:54 kernel-advansys-0.9.5-1dkms.noarch.rpm
-rw-rw-r--. 2 paul paul 981819 Nov 29 11:54 kernel-advansys-0.9.5-1dkms.src.rpm
[paul@zion ~]$ date; restorecon -rvF /home/paul/cfo-repo/drivers/advansys/; date
Tue Nov 29 12:02:54 GMT 2011
Tue Nov 29 12:02:54 GMT 2011
[paul@zion ~]$ ls -l --time=ctime /home/paul/cfo-repo/drivers/advansys/
total 11896
-rw-rw-r--. 1 paul paul 649700 Nov 29 11:54 advansys-driverdisk.zip
-rw-rw-r--. 1 paul paul 4175872 Nov 29 11:54 advansys-fc2-boot.iso
-rw-rw-r--. 2 paul paul 108723 Nov 29 11:54 dkms-2.2.0.2-1.noarch.rpm
-rw-rw-r--. 2 paul paul 132593 Nov 29 11:54 dkms-2.2.0.2-1.src.rpm
-rw-rw-r--. 1 paul paul 10400 Nov 29 11:54 HEADER.html
-rw-rw-r--. 1 paul paul 287602 Nov 29 11:54 kernel-advansys-0.9.1-1dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 228573 Nov 29 11:54 kernel-advansys-0.9.1-1dkms.src.rpm
-rw-rw-r--. 1 paul paul 620915 Nov 29 11:54 kernel-advansys-0.9.2-1dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 457045 Nov 29 11:54 kernel-advansys-0.9.2-1dkms.src.rpm
-rw-rw-r--. 1 paul paul 607931 Nov 29 11:54 kernel-advansys-0.9.3-2dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 461727 Nov 29 11:54 kernel-advansys-0.9.3-2dkms.src.rpm
-rw-r--r--. 1 paul paul 1234354 Nov 29 11:54 kernel-advansys-0.9.4-1dkms.noarch.rpm
-rw-r--r--. 1 paul paul 907444 Nov 29 11:54 kernel-advansys-0.9.4-1dkms.src.rpm
-rw-rw-r--. 2 paul paul 1286253 Nov 29 11:54 kernel-advansys-0.9.5-1dkms.noarch.rpm
-rw-rw-r--. 2 paul paul 981819 Nov 29 11:54 kernel-advansys-0.9.5-1dkms.src.rpm
[paul@zion ~]$ date; python -c "from selinux import restorecon; restorecon('/home/paul/cfo-repo/drivers/advansys', recursive = True)"; date
Tue Nov 29 12:03:51 GMT 2011
Tue Nov 29 12:03:52 GMT 2011
[paul@zion ~]$ ls -l --time=ctime /home/paul/cfo-repo/drivers/advansys/
total 11896
-rw-rw-r--. 1 paul paul 649700 Nov 29 12:03 advansys-driverdisk.zip
-rw-rw-r--. 1 paul paul 4175872 Nov 29 12:03 advansys-fc2-boot.iso
-rw-rw-r--. 2 paul paul 108723 Nov 29 12:03 dkms-2.2.0.2-1.noarch.rpm
-rw-rw-r--. 2 paul paul 132593 Nov 29 12:03 dkms-2.2.0.2-1.src.rpm
-rw-rw-r--. 1 paul paul 10400 Nov 29 12:03 HEADER.html
-rw-rw-r--. 1 paul paul 287602 Nov 29 12:03 kernel-advansys-0.9.1-1dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 228573 Nov 29 12:03 kernel-advansys-0.9.1-1dkms.src.rpm
-rw-rw-r--. 1 paul paul 620915 Nov 29 12:03 kernel-advansys-0.9.2-1dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 457045 Nov 29 12:03 kernel-advansys-0.9.2-1dkms.src.rpm
-rw-rw-r--. 1 paul paul 607931 Nov 29 12:03 kernel-advansys-0.9.3-2dkms.noarch.rpm
-rw-rw-r--. 1 paul paul 461727 Nov 29 12:03 kernel-advansys-0.9.3-2dkms.src.rpm
-rw-r--r--. 1 paul paul 1234354 Nov 29 12:03 kernel-advansys-0.9.4-1dkms.noarch.rpm
-rw-r--r--. 1 paul paul 907444 Nov 29 12:03 kernel-advansys-0.9.4-1dkms.src.rpm
-rw-rw-r--. 2 paul paul 1286253 Nov 29 12:03 kernel-advansys-0.9.5-1dkms.noarch.rpm
-rw-rw-r--. 2 paul paul 981819 Nov 29 12:03 kernel-advansys-0.9.5-1dkms.src.rpm
[paul@zion ~]$
Is this expected behaviour? Is there a way I can use the python binding but get the same behaviour as the shell command?
Paul.
12 years, 3 months
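The compare-before-write behaviour that lets the shell restorecon leave ctime alone, as an added example that is not from the post or from libselinux: it reads the security.selinux xattr and only writes when the label actually differs. `expected_for`, `get_label` and `set_label` are assumed parameters; in real use `expected_for` would wrap a libselinux lookup such as matchpathcon().

```python
import os
import tempfile

SELINUX_XATTR = "security.selinux"


def read_label(path):
    """Current SELinux label of path (symlinks not followed), or None if unlabeled."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError:  # ENODATA / ENOTSUP: no label, or no SELinux on this filesystem
        return None
    return raw.decode("utf-8", "replace").rstrip("\0")


def write_label(path, label):
    """Write the label NUL-terminated, as lsetfilecon() does. This updates ctime."""
    os.setxattr(path, SELINUX_XATTR, label.encode() + b"\0", follow_symlinks=False)


def restore_tree(root, expected_for, get_label=read_label, set_label=write_label):
    """Relabel entries under root whose label differs from expected_for(path).

    Returns the paths that were actually rewritten. An entry whose label already
    matches is never written, so its ctime stays put and incremental backups skip
    it. expected_for maps a path to a context string, or None for "no rule, leave
    it alone" (assumed interface, e.g. a matchpathcon() wrapper).
    """
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            want = expected_for(path)
            if want is not None and get_label(path) != want:
                set_label(path, want)
                changed.append(path)
    return changed


def demo():
    """Two runs over a constructed tree with in-memory label doubles.

    Returns (entries written on run 1, on run 2, total writes); the second run
    writes nothing, which with the real xattr calls is what keeps ctime unchanged.
    """
    store, writes = {}, []

    def fake_set(path, label):
        store[path] = label
        writes.append(path)

    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "drivers"))
    for name in ("HEADER.html", os.path.join("drivers", "dkms-2.2.0.2-1.src.rpm")):
        open(os.path.join(root, name), "w").close()
    want = lambda p: "system_u:object_r:httpd_sys_content_t:s0"
    first = restore_tree(root, want, store.get, fake_set)
    second = restore_tree(root, want, store.get, fake_set)
    return len(first), len(second), len(writes)
```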
SELinux policy building questions
by Dmitry Makovey
Hi,
This year we have decided to adopt SELinux as part of our standard platform.
However, we also build quite a few in-house RPM packages. What we're trying to
do now is to marry those two efforts, and make the packages we build provide
SELinux policies. Admittedly we're using RHEL6 for this purpose. I have
already collected some information, and it looks like building SELinux modules
and providing them with the package is the way to go.
I have started building module from scratch based on what we had to do
manually to get rid of SELinux warnings (running SELinux in permissive mode at
the moment):
$ chcon -R -h -t httpd_sys_content_t -u system_u /usr/libexec/foo*
$ chcon -R -t httpd_sys_rw_content_t -u system_u /var/lib/foo
$ setsebool -P httpd_can_network_connect_db on
which resulted in policy:
foo.fc:
/usr/libexec/foo(.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/foo gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
with foo.if and foo.te pretty much empty.
What I struggle with are several things:
1. Can I set a boolean's value from the policy module?
2. I had to manually relabel /usr/libexec/foo* and /var/lib/foo via "fixfiles"
after I added the policy via:
$ semodule -i foo.pp
Can I create the module in a way that upon its activation it'll relabel all the
needed pieces? (I played with semodule's "-d" and "-e" with no effect.)
3. I have seen several suggestions on how to package and install .pp files
with RPM:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux
vs
http://selinuxproject.org/page/RPM
The latter seems to be more natural, at least from a logic/syntax perspective. Which
one is preferred for RHEL6? (I know it's a Fedora list, but I didn't see/find a
corresponding RHEL list, and the sysadmin@ ML is kind of low on traffic and answers
:( )
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
12 years, 3 months
Where does Fedora 16 log boot-time SELinux denials?
by Mark Montague
Where does Fedora 16 log boot-time SELinux denial messages? Under
Fedora 14 and previous (for sure) and under Fedora 15 (I think),
messages were logged via syslog and appeared in /var/log/messages until
auditd started. However, this is apparently not happening with Fedora
16 -- how can I get these denial messages?
Details:
I have a Fedora 16 server install (no X Windows and with network.service
replacing NetworkManager.service, but otherwise nearly an out-of-the-box
installation), and everything works OK until I do "setsebool -P
secure_mode_insmod=on" and reboot. At that point -- not unexpectedly --
a number of kernel modules fail to load. For example, from
/var/log/messages:
Nov 26 03:35:32 f16dev1 nfs-lock.preconfig[897]: FATAL: Error inserting
lockd (/lib/modules/3.1.2-1.fc16.x86_64/kernel/fs/lockd/lockd.ko):
Operation not permitted
Network interfaces such as eth0 also fail to come up. However, there
are no SELinux denial messages logged to /var/log/messages, to any other
file in /var/log, or to /var/log/audit/audit.log.
Setting secure_mode_insmod=off and rebooting results in the system
coming back up with all services started and no error messages. So I'm
sure there should be some SELinux denials when I boot with
secure_mode_insmod=off that I'm not seeing.
I've searched the web and read the auditd and systemd man and web pages
without finding a solution. Any idea how to get the SELinux denial
messages that get generated before auditd is started?
--
Mark Montague
mark(a)catseye.org
12 years, 3 months
mount -t nfs -o context not working (RHEL 6)
by Konstantin Ryabitsev
Hi, all:
I was trying to mount NFS with the context= option, but for some reason
it's not doing what the FAQs say it should be doing.
# mount | grep nfs
ra:/repos/pub on /repos/pub type nfs (ro,soft,intr,fg,rsize=8192,wsize=8192,context="system_u:object_r:git_system_content_t:s0",vers=4,addr=192.168.19.202,clientaddr=192.168.19.203)
# ls -Zad /repos/pub
drwxr-xr-x. 4294967294 4294967294 system_u:object_r:nfs_t:s0 /repos/pub
Not sure what I'm doing wrong here -- is the context= option not
supported on RHEL 6, or am I just missing something obvious?
Regards,
--
Konstantin Ryabitsev
Systems Administrator
The Linux Foundation
Montréal, Québec
12 years, 3 months
sharing directory for 2 different contexts?
by Jeronimo Calvo
Hi Folks,
How can I share the same directory for 2 different contexts? Let's say http_sys_content_t and another one, so both could access the data?
Cheers,
Jeronimo
12 years, 4 months
Remove\fix old avc's
by Frank Murphy
On an F16 box, sealert is empty,
but:
~$ ausearch -m avc
----
time->Sat Oct 29 15:27:51 2011
type=SYSCALL msg=audit(1319898471.737:80): arch=c000003e syscall=137
success=no exit=-13 a0=7f725ff344ae a1=7fff730a6850 a2=1000
a3=7fff730a65e0 items=0 ppid=3424 pid=3435 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="restorecon" exe="/sbin/setfiles"
subj=system_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1319898471.737:80): avc: denied { getattr } for
pid=3435 comm="restorecon" name="/" dev=sysfs ino=1
scontext=system_u:system_r:setfiles_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
----
time->Sat Oct 29 15:27:51 2011
type=SYSCALL msg=audit(1319898471.902:81): arch=c000003e syscall=137
success=no exit=-13 a0=7ffdb5d014ae a1=7fff2da8f300 a2=1000 a3=0 items=0
ppid=3436 pid=3437 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1319898471.902:81): avc: denied { getattr } for
pid=3437 comm="setroubleshootd" name="/" dev=sysfs ino=1
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
----
time->Sat Oct 29 15:30:43 2011
type=SYSCALL msg=audit(1319898643.744:84): arch=c000003e syscall=137
success=no exit=-13 a0=7fc6a4f444ae a1=7fffc431d1c0 a2=1000 a3=0 items=0
ppid=3728 pid=3729 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1319898643.744:84): avc: denied { getattr } for
pid=3729 comm="setroubleshootd" name="/" dev=sysfs ino=1
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
----
time->Sat Oct 29 15:30:43 2011
type=SYSCALL msg=audit(1319898643.650:83): arch=c000003e syscall=137
success=no exit=-13 a0=7fd65c6754ae a1=7fff4322e2c0 a2=1000
a3=7fff4322e050 items=0 ppid=1393 pid=3727 auid=4294967295 uid=93 gid=93
euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295
comm="exim" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1319898643.650:83): avc: denied { getattr } for
pid=3727 comm="exim" name="/" dev=sysfs ino=1
scontext=system_u:system_r:exim_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
This box was upgraded from F15,
so what do I need to do about these AVCs,
and why don't they show up in sealert?
Currently
selinux-policy-targeted-3.10.0-51.fc16
there seems to be an upgrade available:
selinux-policy-targeted-3.10.0-55.fc16
will it make any difference to above?
--
Regards,
Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org
12 years, 4 months
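Both the SERVICE_START record in the CouchDB thread above and the AVC records in this one are easier to read once decoded: audit writes a string field as bare uppercase hex whenever it contains a space or a quote, which is why the CouchDB record's exe= looks opaque. An added example, not from either post, that parses such records (sample lines constructed by joining the wrapped lines from the two threads), decodes the hex fields and tallies the denials; HEX_FIELDS is an assumed list of the common fields audit encodes this way.

```python
import re
from collections import Counter

# Constructed sample: wrapped lines from the two threads joined back together.
SAMPLE_LOG = """\
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1319898471.737:80): avc: denied { getattr } for pid=3435 comm="restorecon" name="/" dev=sysfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1319898471.902:81): avc: denied { getattr } for pid=3437 comm="setroubleshootd" name="/" dev=sysfs ino=1 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1319898643.650:83): avc: denied { getattr } for pid=3727 comm="exim" name="/" dev=sysfs ino=1 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
"""

# String fields audit hex-encodes when they hold whitespace, quotes or control
# characters (assumed list of the common ones). Numeric fields such as pid= are
# never decoded, since "3435" would otherwise look like valid hex.
HEX_FIELDS = {"exe", "comm", "name", "path", "cwd", "proctitle", "acct", "key"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def decode_value(key, raw):
    """Strip quotes, or turn audit's bare-hex form back into the original string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """One audit record -> dict of decoded fields plus serial and AVC details."""
    line = line.strip()
    # PAM/service records nest their own key=value payload in msg='...'; unwrap it.
    line = re.sub(r"\bmsg='(.*)'$", r"\1", line)
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    m = HEADER_RE.search(line)
    if m:
        rec["serial"] = int(m.group(2))
    m = AVC_RE.search(line)
    if m:
        rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec


def summarize_denials(log_text):
    """Count AVC denials keyed by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "AVC" and rec.get("result") == "denied":
            src = rec["scontext"].split(":")[2]
            tgt = rec["tcontext"].split(":")[2]
            counts[(src, tgt, rec["tclass"], " ".join(rec["perms"]))] += 1
    return counts


if __name__ == "__main__":
    print(parse_record(SAMPLE_LOG.splitlines()[0])["exe"])  # /bin/systemd (deleted)
    for key, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(n, *key)
```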